Massive Android DDoS Botnet Derailed

WireX was being used to launch DDoS attacks against targets in multiple industries; Google removes 300 botnet-related apps from Play Store.

Researchers from multiple organizations teamed up to disrupt a massive Android-device botnet dubbed WireX that was being used to launch distributed denial-of-service attacks against targets in a variety of industries including hospitality, gambling, porn, and domain name registrars.

Google, which was informed of the threat a few days ago has scrubbed its Play Store mobile app store clean of some 300 malicious Android apps that were being used to infect Android devices and co-opt them into the WireX botnet. The company is currently in the process of removing the malware from an undisclosed number of infected Android devices around the world.

WireX appears to have first surfaced on August 2 and remained unnoticed till August 15th when researchers from multiple security companies began observing it being used in prolonged DDoS attacks, some involving a minimum of 70,000 IP addresses. An analysis of the DDoS attack data showed that it came from infected devices in more than 100 countries.

Among those who collaborated in taking down the threat were Akamai, Flashpoint, Cloudflare, Oracle Dyn, RiskIQ, and Team Cymru.

In a joint blog post today, researchers from the company described WireX as a volumetric DDoS attack targeting the application layer. The traffic generated by the compromised Android devices was mostly comprised of HTTP GET requests that appeared to come from valid clients and web browsers. In some cases the traffic resembled HTTP POST requests as well.

The sheer size of the botnet and the fact it was comprised of infected mobile devices from as many as 100 different countries is somewhat unusual for modern DDoS attacks, the researchers said.

"This botnet is capable of pushing HTTPS, which exhausts even more resources than a regular HTTP flood," says Allison Nixon, director of security research at Flashpoint. "The size of the botnet is also extremely large, and both of these qualities are uncommon" in DDoS attacks, Nixon says.

Tim April, senior security architect at Akamai, says the biggest observed attacks involving WireX were in the range of around 1.1 million well-formed HTTP requests per minute. "With the nature of application layer attacks, [bandwidth per second] numbers are not as meaningful since these requests tend to result in much more server load than network volume," he says.

One of the distinct identifying markers of traffic from the botnet was the presence of a user-agent string containing all the characters of the English alphabet in lower case and in random order. A user-agent string is the header provided as part of the HTTP request from the user-agent or browser that the user interacts with to access Web content.

"The use of a consistent 26-character length seemingly random user agents is what initially caught our attention that this might be something particularly interesting," says Justin Paine, head of trust and safety at Cloudflare.

The fact that both Akamai and Cloudflare had seen the same types of attacks also was significant and contributed to the decision by the different organizations to work together to mitigate the threat, he says.

Many of the Android applications that were used to infect devices were designed to look like benign media and video players, ringtone apps, and storage managers. The applications had hidden features in them that would secretly connect to malicious command and control servers when users downloaded and ran the applications.

The malicious applications took advantage of certain legitimate features in the Android service architecture to launch attacks even when the applications were not in use.

Team Takedown

The most unique aspect of this event was how the industry came together to collaborate on the takedown, Nixon says. The type of information-sharing that went into the effort should serve as an example of how industry collaboration can work, she says. "When companies are under attack, they often go radio silent, but in truth that is the moment when they need to be sharing information the most."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Vijay, another great article that is a heads up to every one of us in the network security field. Knowing how WireX was operating, how it was detected, and how it was disseminated, is a huge benefit from paying attention to DARKReading newsletters.

One more thing that I would like to know from you guys is: Where can I find a list of the Android PlayStore apps that were taken down as part of this WireX forensic investigation?

(I sure would like to know if I have any of these apps installed on my android devices, and I would like to advise my clients, family and friends about these poisoned apps.)

After the who, what , where, when, why and how, there is also an imperative to find out what ACTIONS to take next. Uninstalling infected apps is a clear next step, but where is the information & guidance on this?

Thanks for a very informative article. I always look forward to reading your work!

Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!

Published: 2017-05-09NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.